Dang, I completely forgot this. Don't necessarily need netmon for capturing:

Netsh will capture packets too!
https://isc.sans.edu/diary/19409

On Tue, Nov 8, 2016 at 6:57 AM, Christopher Bodnar <
[email protected]> wrote:

> I was in the same boat, really never noticed this, until I had to do some
> testing for port access with a new environment we are spinning up. If you
> look for it on the domain controllers you will definitely see it.
>
>
>
>
>
> That all seems to be working fine in all our domains. I’m still struggling
> to find out why a test using Portqry or LDP fails in our production
> domains, but not in the new domains.  I see the request get to the domain
> controller, but the DC doesn’t respond.  Very odd.
>
>
>
> Thanks
>
> Chris
>
>
>
>
>
> *From:* [email protected] [mailto:listsadmin@lists.
> myitforum.com] *On Behalf Of *Michael B. Smith
> *Sent:* Friday, November 04, 2016 3:40 PM
> *To:* [email protected]
> *Subject:* RE: [NTSysADM] LDAP Ping question
>
>
>
> To the OP: is 389 UDP open on your older DCs in the firewall?
>
>
>
> (Honestly, I didn’t know 389 UDP was ever used for LDAP. I thought it was
> just a TCP protocol.)
>
>
>
> *From:* [email protected] [mailto:listsadmin@lists.
> myitforum.com <[email protected]>] *On Behalf Of *Kurt Buff
> *Sent:* Friday, November 4, 2016 2:28 PM
> *To:* ntsysadm
> *Subject:* Re: [NTSysADM] LDAP Ping question
>
>
>
> Don't know the answer to your question, but I suspect you'll get a much better
> response on the Active Directory list at activedir.org
>
> Kurt
>
>
>
> On Fri, Nov 4, 2016 at 8:57 AM, Christopher Bodnar <
> [email protected]> wrote:
>
> OK, I’ve done some more testing. I loaded WireShark on a domain
> controller, and restarted a member server, and filtered for udp.port==389.
> It is working as expected in all domains. So that is good. What I don't
> understand is why a test using LDP fails in my production domains, but not
> in the new domain I just stood up. In Wireshark the UDP request is received
> by the DC, but it never responds.
>
>
>
> *From:* Christopher Bodnar
> *Sent:* Friday, November 04, 2016 10:14 AM
> *To:* [email protected]
> *Subject:* RE: [NTSysADM] LDAP Ping question
>
>
>
> Now I’m really confused. After doing some more research on this, it looks
> like LDP is a good tool for testing. From a new forest that I just spun up,
> it works fine:
>
>
>
> ld = cldap_open("x.x.x.x", 389);
>
> Established connection to x.x.x.x.
>
> Retrieving base DSA information...
>
> Getting 1 entries:
>
> Dn: (RootDSE)
>
> configurationNamingContext: CN=Configuration,DC=widgets,DC=com;
>
> currentTime: 11/4/2016 1:17:52 AM Coordinated Universal Time;
>
> defaultNamingContext: DC=widgets,DC=com;
>
>
>
> But in our production domains, from every client machine I’ve tested from,
> against every domain controller, it fails:
>
> 0x0 = ldap_unbind(ld);
>
> ld = cldap_open("x.x.x.x", 389);
>
> Established connection to x.x.x.x.
>
> Retrieving base DSA information...
>
> Server error: <empty>
>
> Error<94>: ldap_parse_result failed: No result present in message
>
> Getting 0 entries:
>
>
>
> Yet as far as I can tell everything in the domain is working as expected.
> From the reading I did on the DC Locator process, it’s my understanding
> that if you can't find a DC using this process... it should fail. Which
> would mean nobody would be able to logon. Is it possible that this is
> working, but the test I’m doing from client machines isn’t really a valid
> test? Is it possible that it flips to TCP if it can’t connect over UDP? I
> plan on putting Wireshark on a domain controller and looking for this.
>
>
>
>
>
> Very strange.
>
>
>
> Thanks
>
> Chris
>
>
>
> *From:* [email protected] [mailto:listsadmin@lists.
> myitforum.com <[email protected]>] *On Behalf Of *Micheal
> Espinola Jr
> *Sent:* Thursday, November 03, 2016 9:19 PM
> *To:* [email protected]
> *Subject:* Re: [NTSysADM] LDAP Ping question
>
>
>
> As I understand it, LDAP Ping is more of a handshake test - not an open
> port check.
>
>
> --
> Espi
>
>
>
>
>
> On Thu, Nov 3, 2016 at 2:56 PM, Christopher Bodnar <
> [email protected]> wrote:
>
> I understand the function of an LDAP Ping over UDP/389 in the DC Locator
> process, but shouldn’t that respond to a Portqry? When I test this I
> receive the following:
>
>
>
> UDP port 389 (unknown service): LISTENING or FILTERED
>
>
>
> I’ve tested this in 3 separate forests against multiple domain controllers
> and I have gotten the same results in every case. All are 2008 R2 DFL/FFL.
> A netstat -an does show this:
>
>
>
> UDP    x.x.x.x:389      *:*
>
>
>
> Which seems to be correct for a UDP port that is also listening on TCP? I
> don’t notice anything wrong in the domains, was just going through some
> firewall port requests and tested this. Is Portqry not a real test of this
> function?
>
>
>
> My next step will be to run a WireShark trace on a DC to look for this
> traffic.
>
>
>
>
>
> Thanks
>
>
>
>
>
>
>
> *Christopher Bodnar*
> Enterprise Architect II, Corporate Office of Technology:Enterprise
> Architecture and Engineering Services
>
> Tel 610-807-6459
> 3900 Burgess Place, Bethlehem, PA 18017
> [email protected]
>
>
>
> * The Guardian Life Insurance Company of America*
>
> * www.guardianlife.com <http://www.guardianlife.com/>*
>
>
>
>
> ------------------------------
>
> ----------------------------------------- This message, and any
> attachments to it, may contain information that is privileged,
> confidential, and exempt from disclosure under applicable law. If the
> reader of this message is not the intended recipient, you are notified that
> any use, dissemination, distribution, copying, or communication of this
> message is strictly prohibited. If you have received this message in error,
> please notify the sender immediately by return e-mail and delete the
> message and any attachments. Thank you.
>
>
>
>
>
>
>

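The UDP/389 exchange this thread is about, as an added example that is not code from the thread, from ldp, or from portqry: a small Python client that hand-encodes the BER for the RootDSE query ldp's cldap_open issues (base "", filter (objectClass=*), the three attributes shown in the working output above) and for the Netlogon-style LDAP ping that DC Locator sends. The Netlogon attribute names and the NtVer flag value are my assumptions from MS-ADTS, not something the thread states; the sample reply is constructed to look like the widgets.com ldp output and exists only so the parser can be exercised offline. A None from cldap_query means the datagram went out and nothing came back before the timeout, which is the same ambiguity portqry reports as LISTENING or FILTERED.

```python
# Added example, not code from the thread: a hand-rolled CLDAP "LDAP ping" client.
# Netlogon attribute names and the NtVer flag value are assumptions from MS-ADTS.
import socket

def ber_len(n):
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, body):
    return bytes([tag]) + ber_len(len(body)) + body

def ber_int(v):                # minimal two's complement, non-negative ints only
    return v.to_bytes(v.bit_length() // 8 + 1, "big")

def search_request(msg_id, filt, attrs):
    """LDAPMessage { messageID, searchRequest [APPLICATION 3] } against base "" (RootDSE)."""
    body = (tlv(0x04, b"")                                   # baseObject "" (RootDSE)
            + tlv(0x0A, b"\x00") + tlv(0x0A, b"\x00")       # scope baseObject, derefAliases never
            + tlv(0x02, b"\x00") + tlv(0x02, b"\x00")       # sizeLimit 0, timeLimit 0
            + tlv(0x01, b"\x00") + filt                     # typesOnly FALSE, then the filter
            + tlv(0x30, b"".join(tlv(0x04, a) for a in attrs)))
    return tlv(0x30, tlv(0x02, ber_int(msg_id)) + tlv(0x63, body))

def build_rootdse_request(msg_id=1):
    """(objectClass=*) asking for the three attributes shown in the thread's ldp output."""
    return search_request(msg_id, tlv(0x87, b"objectClass"),   # Filter.present [7]
                          (b"configurationNamingContext", b"currentTime", b"defaultNamingContext"))

def build_netlogon_ping_request(dns_domain, msg_id=1, nt_ver=b"\x06\x00\x00\x00"):
    """(&(DnsDomain=<d>)(NtVer=<flags>)) asking for Netlogon; nt_ver holds the
    little-endian NETLOGON_NT_VERSION flags (0x6 = V5 | V5EX is assumed here)."""
    def eq(attr, val):                                      # Filter.equalityMatch [3]
        return tlv(0xA3, tlv(0x04, attr) + tlv(0x04, val))
    and_filter = tlv(0xA0, eq(b"DnsDomain", dns_domain.encode()) + eq(b"NtVer", nt_ver))
    return search_request(msg_id, and_filter, (b"Netlogon",))

def read_tlv(buf, pos=0):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                       # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    body = buf[pos:pos + length]
    if len(body) != length:
        raise ValueError("truncated BER element")
    return tag, body, pos + length

def read_all(buf):
    """Decode back-to-back TLVs; a CLDAP reply packs entry and done into one datagram."""
    out, pos = [], 0
    while pos < len(buf):
        tag, body, pos = read_tlv(buf, pos)
        out.append((tag, body))
    return out

def parse_cldap_response(datagram):
    """Return (resultCode or None, {attribute: [raw values]})."""
    attrs, result_code = {}, None
    for tag, msg in read_all(datagram):
        if tag != 0x30:
            raise ValueError("not an LDAPMessage")
        (_, _msgid), (op_tag, op_body) = read_all(msg)[:2]
        if op_tag == 0x64:                                  # searchResEntry
            (_, _dn), (_, attr_list) = read_all(op_body)[:2]
            for _, attr in read_all(attr_list):
                (_, name), (_, vals) = read_all(attr)[:2]
                attrs.setdefault(name.decode(), []).extend(v for _, v in read_all(vals))
        elif op_tag == 0x65:                                # searchResDone
            result_code = int.from_bytes(read_all(op_body)[0][1], "big")
    return result_code, attrs

def cldap_query(host, request, port=389, timeout=3.0):
    """One datagram out, one back; None means nothing came back before the timeout."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(request, (host, port))
        try:
            data, _ = s.recvfrom(65535)
        except socket.timeout:
            return None
    return parse_cldap_response(data)

def build_sample_response(msg_id=1):
    """Constructed reply shaped like the working ldp output in the thread (offline test data)."""
    def attr(name, *vals):
        return tlv(0x30, tlv(0x04, name) + tlv(0x31, b"".join(tlv(0x04, v) for v in vals)))
    entry = tlv(0x64, tlv(0x04, b"") + tlv(0x30,
        attr(b"configurationNamingContext", b"CN=Configuration,DC=widgets,DC=com")
        + attr(b"currentTime", b"20161104011752.0Z")
        + attr(b"defaultNamingContext", b"DC=widgets,DC=com")))
    done = tlv(0x65, tlv(0x0A, b"\x00") + tlv(0x04, b"") + tlv(0x04, b""))
    wrap = lambda op: tlv(0x30, tlv(0x02, ber_int(msg_id)) + op)
    return wrap(entry) + wrap(done)
```

Run cldap_query("<dc-ip>", build_rootdse_request()) from a member machine while a capture filtered on udp.port==389 is running on the DC, as done in the thread: seeing the request arrive in the capture but getting None here separates a port the firewall drops from a DC that receives the query and does not answer it. The Netlogon variant returns the DC's reply as raw bytes under the "Netlogon" key; decoding that NETLOGON_SAM_LOGON_RESPONSE structure is outside what this example does.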